Pages: [1]
  Print  
Author Topic: Critical Bug in cURL  (Read 3678 times)
Peter Silie
Member


Cakes 2008
Posts: 610



« on: February 08, 2013, 07:31:53 am »

Important?
http://curl.haxx.se/docs/adv_20130206.html
Logged
Gig
In the year 3000
***

Cakes 48
Posts: 4238


WWW
« Reply #1 on: February 08, 2013, 07:46:27 am »

I don't know, but I don't see why OpenArena should use POP3, IMAP and SMTP protocols.

But I don't even know if OpenArena uses that libcurl at all... Sago or Fromhell should know a such thing. I don't know... maybe also if POP3, IMAP and SMTP are not effectively used by a program (that uses other parts of libcurl), they may be exploited anyway? I have no idea.
Logged

I never want to be aggressive, offensive or ironic with my posts. If you find something offending in my posts, read them again searching for a different mood there. If you still see something bad with them, please ask me infos. I can be wrong at times, but I never want to upset anyone.
andrewj
Member


Cakes 23
Posts: 571



« Reply #2 on: February 09, 2013, 03:29:56 am »

ioquake3 uses libcurl.

POP3, IMAP and SMTP are all email-related protocols -- I'm pretty sure ioquake3 does not use them and hence it (and OpenArena) are not affected by this vulnerability.

« Last Edit: February 09, 2013, 03:32:24 am by andrewj » Logged
Peter Silie
Member


Cakes 2008
Posts: 610



« Reply #3 on: February 10, 2013, 04:02:02 am »

As far as i had understand this bug, it is a problem of the request.
So if the client request a pop3 action, you get the problem.

But maybe i am just wrong...
Logged
sago007
Posts a lot
*

Cakes 61
Posts: 1648


Open Arena Developer


WWW
« Reply #4 on: February 10, 2013, 02:53:17 pm »

The vulnerability is not present in curl versions before 7.26.0.
I believe the windows version of ioqauke3-engine uses 7.15.5. Although that is very hard to see for certain.

The Linux version of the engine uses the curl version from the OS. It will likely be patched already.

If someones sees a server with sv_dlURL set to "smtp:SOMETHING", it may be an attempt to exploit an affected client.
Logged

There are nothing offending in my posts.
Pages: [1]
  Print  
 
Jump to: